The reason Docker is integrating this way is to easily group the rules it introduced.
> I feel Docker should have tried to play nicer with the firewall.
The problem is on the UFW side not setting up properly when other chains are present. UFW is just a front-end for iptables, and Docker integrates with iptables. Can the situation be made better? Likely on the UFW side. https://docs.docker.com/network/packet-filtering-firewalls/#...
The docker behaviour is documented...
UFW seems buggy in that it only operates on a set of prefixed groups instead of looking at all the groups in iptables. Now, looking at the UFW code: https://git.launchpad.net/ufw/tree/src/backend_iptables.py?h... it seems to set up its own chains and ignores everything else. It even filters out all other chains unless they're part of UFW.